In the wake of the OPM hack, where reports suggest that millions of security clearance records headed directly to Chinese intelligence units, let’s talk about remote administration tools (RATs). These tools are commonly used in this type of attack, so we'll walk through a common methodology for identifying unknown RATs.

In the broadest sense, RATs are used to remotely access and control computers. System administrators often use these tools for good, but black hats develop specialized RATs that infect, hide, and act as back doors.

Malicious RATs like PlugX, Gh0st, Korplug, Gulpix, Sogu, Thoper, and Destory can be built as zero-day attacks that avoid signature detection. The Gh0st RAT user interface (UI; the screenshot is not reproduced here) gives some insight into how easily hackers can build zero-day variants to infect sensitive machines. Once a machine is infected, command-and-control can be established from anywhere on the internet, with traffic re-routed through intermediate servers to avoid identification of the true perpetrator.

You’ve seen it in a dozen movies: a character commits a crime, is ID’ed on security camera footage, then dyes her hair to alter her appearance in hopes of evading capture. The M.O. is the same for polymorphic malware: malicious software that’s constantly evolving or changing in order to evade signature detection or blacklisting solutions. Although it’s not a new addition to the hacker’s arsenal, the use of polymorphic malware has lately become a favorite and highly dangerous tactic of organized cyber crime groups.

Black hats know that, if you change code enough, it will be unrecognizable to intrusion prevention systems that rely on code “signatures” or hashes. This is why we created and patented the Entropy Near-Match Analyzer (part of EnCase Cybersecurity) a few years back: to help incident responders find polymorphic variants of binaries based on a different type of measurement.
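The following is an added illustration, not the EnCase analyzer's algorithm (which this post does not describe), of why a per-block entropy profile can still near-match a binary after the small edits that change its hash. The three "binaries", the block size and the tolerance are constructed values for the demonstration.

```python
import hashlib
import math
from typing import Dict, List

# Constructed samples: VARIANT is ORIGINAL with a few bytes edited, the way a
# recompiled or repacked variant might differ; UNRELATED is a different file.
ORIGINAL = bytes(range(256)) * 4 + b"\x00" * 512 + b"CONFIG=server.example\x00" * 8
_v = bytearray(ORIGINAL)
_v[10] ^= 0x55          # simulated code edit in block 0
_v[700] ^= 0xAA         # simulated code edit in block 2
_v[1500:1502] = b"XY"   # simulated edit inside a zero-padded region
VARIANT = bytes(_v)
UNRELATED = b"A" * 1024 + bytes(range(256)) * 2 + b"\x00" * 176

BLOCK = 256  # bytes per block in the entropy profile (assumed value)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) over the given data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def entropy_profile(data: bytes, block: int = BLOCK) -> List[float]:
    """Entropy of each fixed-size block; this profile is what gets compared."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def near_match_score(a: bytes, b: bytes, block: int = BLOCK, tol: float = 0.25) -> float:
    """Fraction of aligned blocks whose entropy differs by at most tol bits."""
    pa, pb = entropy_profile(a, block), entropy_profile(b, block)
    n = max(len(pa), len(pb))
    pa += [0.0] * (n - len(pa))   # pad the shorter profile
    pb += [0.0] * (n - len(pb))
    matched = sum(1 for x, y in zip(pa, pb) if abs(x - y) <= tol)
    return matched / n

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare() -> Dict[str, object]:
    """Exact hash matching fails on the variant; the entropy profile still matches."""
    return {
        "hash_matches": sha256_hex(ORIGINAL) == sha256_hex(VARIANT),
        "variant_score": near_match_score(ORIGINAL, VARIANT),
        "unrelated_score": near_match_score(ORIGINAL, UNRELATED),
    }

if __name__ == "__main__":
    print(compare())  # {'hash_matches': False, 'variant_score': 1.0, 'unrelated_score': 0.0}
```

A real analyzer would use many more features than block entropy and would tune the tolerance against a known-good corpus; the point here is only that a measurement of structure survives edits that a hash cannot.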